Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ac-19(4)

access control for mobile devices  | restrictions for classified information

assessment objective:

Determine if the organization:

ac-19(4)(a)  

prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official;

ac-19(4)(b)  

enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:

ac-19(4)(b)(1)  

connection of unclassified mobile devices to classified information systems is prohibited;

ac-19(4)(b)(2)  

connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;

ac-19(4)(b)(3)  

use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited;

ac-19(4)(b)(4)  

ac-19(4)(b)(4)[1]

defines security officials responsible for reviews and inspections of unclassified mobile devices and the information stored on those devices;

ac-19(4)(b)(4)[2]

unclassified mobile devices and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials;

ac-19(4)(b)(4)[3]

the incident handling policy is followed if classified information is found;

ac-19(4)(c)  

ac-19(4)(c)[1]  

defines security policies to restrict the connection of classified mobile devices to classified information systems; and

ac-19(4)(c)[2]  

restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies.

potential assessment methods and objects:

Examine: [select from: Access control policy; incident handling policy; procedures addressing access control for mobile devices; information system design documentation; information system configuration settings and associated documentation; evidentiary documentation for random inspections and reviews of mobile devices; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel responsible for random reviews/inspections of mobile devices; organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information; organizational personnel with incident response responsibilities; system/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices].